On Tue, Jan 21, 2025 at 11:13:38PM -0800, Xingyu Li wrote:
> Hi,
> We noticed that the patch 11a4d6f67cf5 should be ported to 5.10 and 5.15 LTS according to the bug introducing commit.
> Also, it can be applied to the latest version of these two LTS branches without conflicts. Its bug introducing commit is f25dcc7687d4.
> The kernel warning and stack trace indicate a problem when sending a SYN message in TIPC (Transparent Inter-Process Communication).
> The issue arises because `copy_from_iter()` is being called with an uninitialized `iov_iter` structure, leading to invalid memory operations.
> The commit (`f25dcc7687d4`) introduces the vulnerability by replacing the old data copying mechanisms with the new `copy_from_iter()` function without ensuring that the `iov_iter` structure is properly initialized in all code paths.
> The patch adds initialization of `iov_iter` with "iov_iter_kvec(&m.msg_iter, ITER_SOURCE, NULL, 0, 0);", which ensures that even when there's no data to send, the `iov_iter` is correctly set up, preventing the kernel warning/crash when `copy_from_iter()` is called.
This change fails to build on those older kernels, which is perhaps why it was not backported there. If you wish to see it there, please provide a working backport.
thanks,
greg k-h
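To make the failure mode in the report above concrete, here is an added userspace model of the path it describes. This is example code written for this page; it is not part of the thread, of the TIPC code or of lib/iov_iter.c. It mirrors, in stripped-down form, the entry check in the kernel's _copy_from_iter() (a zero-initialised msg_iter has data_source == false, which the real function reports with WARN_ON_ONCE and then copies nothing), a tipc_msg_build() that calls copy_from_iter() even for a zero-length SYN, and the one-line iov_iter_kvec() fix. The struct layouts are reduced stand-ins, and tipc_connect_buggy, tipc_connect_fixed, tipc_send_data and iov_iter_warnings_seen are names invented for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reduced stand-ins for the kernel structures (example only; the real
 * struct iov_iter and struct msghdr carry many more fields). */
struct kvec {
	void *iov_base;
	size_t iov_len;
};

#define ITER_KVEC   2
#define ITER_DEST   0   /* iterator receives data */
#define ITER_SOURCE 1   /* iterator supplies data */

struct iov_iter {
	unsigned char iter_type;
	bool data_source;          /* only an ITER_SOURCE initialiser sets this */
	size_t iov_offset;         /* offset into the current segment */
	size_t count;              /* bytes left in the iterator */
	const struct kvec *kvec;   /* current segment */
	unsigned long nr_segs;     /* segments left */
};

struct msghdr {
	void *msg_name;
	struct iov_iter msg_iter;
};

static int iov_iter_warnings;   /* counts modelled WARN_ON_ONCE hits */

/* Model of iov_iter_kvec(): the only place data_source becomes true. */
static void iov_iter_kvec(struct iov_iter *i, unsigned int direction,
			  const struct kvec *kvec, unsigned long nr_segs,
			  size_t count)
{
	*i = (struct iov_iter){
		.iter_type = ITER_KVEC,
		.data_source = (direction == ITER_SOURCE),
		.kvec = kvec, .nr_segs = nr_segs, .count = count,
	};
}

/* Model of _copy_from_iter(): a zeroed msghdr never had its iterator
 * marked as a source, so the copy is refused with a warning. */
static size_t copy_from_iter(void *addr, size_t bytes, struct iov_iter *i)
{
	unsigned char *dst = addr;
	size_t copied = 0;

	if (!i->data_source) {        /* WARN_ON_ONCE(!i->data_source) */
		iov_iter_warnings++;
		return 0;
	}
	if (bytes > i->count)
		bytes = i->count;
	while (copied < bytes && i->nr_segs) {
		const struct kvec *kv = i->kvec;
		size_t avail = kv->iov_len - i->iov_offset;
		size_t n = bytes - copied < avail ? bytes - copied : avail;

		memcpy(dst + copied,
		       (const unsigned char *)kv->iov_base + i->iov_offset, n);
		copied += n;
		i->iov_offset += n;
		if (i->iov_offset == kv->iov_len) {   /* segment exhausted */
			i->kvec++;
			i->nr_segs--;
			i->iov_offset = 0;
		}
	}
	i->count -= copied;
	return copied;
}

struct tipc_msg {
	size_t hdr_len;
	size_t data_len;
	unsigned char payload[64];
};

/* Model of tipc_msg_build(): the copy is attempted even when dlen == 0
 * (the SYN case), so msg_iter must be valid regardless of length. */
static int tipc_msg_build(struct msghdr *m, size_t dlen, struct tipc_msg *out)
{
	if (dlen > sizeof(out->payload))
		return -EMSGSIZE;
	out->hdr_len = 40;   /* placeholder header size, not TIPC's real value */
	out->data_len = dlen;
	if (copy_from_iter(out->payload, dlen, &m->msg_iter) != dlen)
		return -EFAULT;
	return 0;
}

/* Before the fix: msghdr zeroed, msg_iter never initialised. */
int tipc_connect_buggy(struct tipc_msg *out)
{
	struct msghdr m = { NULL, };

	return tipc_msg_build(&m, 0, out);
}

/* After the fix: the single line the patch adds. */
int tipc_connect_fixed(struct tipc_msg *out)
{
	struct msghdr m = { NULL, };

	iov_iter_kvec(&m.msg_iter, ITER_SOURCE, NULL, 0, 0);
	return tipc_msg_build(&m, 0, out);
}

/* A data-carrying send split over two segments, to exercise the walk. */
int tipc_send_data(const char *buf, size_t len, struct tipc_msg *out)
{
	struct kvec kv[2] = {
		{ (void *)buf, len / 2 },
		{ (void *)(buf + len / 2), len - len / 2 },
	};
	struct msghdr m = { NULL, };

	iov_iter_kvec(&m.msg_iter, ITER_SOURCE, kv, 2, len);
	return tipc_msg_build(&m, len, out);
}

/* Number of modelled warnings since the last call; resets the counter. */
int iov_iter_warnings_seen(void)
{
	int n = iov_iter_warnings;

	iov_iter_warnings = 0;
	return n;
}

int main(void)
{
	struct tipc_msg msg;

	tipc_connect_buggy(&msg);
	printf("buggy SYN: %d warning(s)\n", iov_iter_warnings_seen());
	tipc_connect_fixed(&msg);
	printf("fixed SYN: %d warning(s)\n", iov_iter_warnings_seen());
	tipc_send_data("hello", 5, &msg);
	printf("data: %zu bytes, %d warning(s)\n", msg.data_len,
	       iov_iter_warnings_seen());
	return 0;
}
```

The buggy connect succeeds (nothing is copied and nothing needed copying) but trips the warning, which is why the report speaks of a warning rather than a crash; the fixed connect passes a zero-length kvec iterator marked as a source and copies nothing silently. One caveat for anyone preparing the backport Greg asks for: the 5.10 and 5.15 trees predate the ITER_SOURCE/ITER_DEST names and spell the direction argument of iov_iter_kvec() as WRITE, which is my reading of why the unmodified patch does not build there; the thread itself does not say.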
linux-stable-mirror@lists.linaro.org